Mac Spyware: OSX/KitM (Kumar in the Mac)

There’s another case of Backdoor:OSX/KitM.A in the wild.

A German-based investigator reached out to us yesterday regarding OSX/KitM. (We wrote about it last week.) KitM stands for “Kumar in the Mac”, which is our designation for spyware — related to OSX/Filesteal a.k.a. OSX/HackBack — that is signed using an Apple Developer ID in the name of Rajinder Kumar. The Developer ID has since been revoked by Apple.

This latest version of OSX/KitM used a Romanian C&C server called during the period of attack, December 2012 to early February 2013. The spear phishing used an attachment called (Remember, the attack started in December.)

So, that brings us to this bit of advice for those of you who might be targets.

This is the default “Gatekeeper” security setting:

Mac, Security & Privacy
Mac App Store and identified developers

This is the setting that you want, unless you’re actively installing software:

Mac, Security & Privacy
Mac App Store

This is the prompt that results when OSX/KitM attempts to install with the stricter setting:

Kumar's Christmas Card

If you’re running OS X Mountain Lion or Lion v10.7.5 — adjust your settings as an extra layer of precaution.

SHA1: 290898b23a85bcd7747589d6f072a844e11eec65

On 22/05/13 At 12:45 PM

Read more: Mac Spyware: OSX/KitM (Kumar in the Mac)

Story added 22. May 2013, content source with full text you can find at link above.